| author | Alejandro Soto <alejandro@34project.org> | 2024-08-15 14:50:15 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-08-15 14:50:15 -0600 |
| commit | 97e829e24e9fdb68d8e989c2703cee9803a2e82f (patch) | |
| tree | 9bc112fc1f2b108f90e9998229903a6dde130c19 /sys/hardware/printing.nix | |
| parent | c110570f008472958bd700d04f02fa3d1f9209fe (diff) | |
sys/hardware/printing: limit interfaces on which port 5353 is open
Diffstat (limited to 'sys/hardware/printing.nix')
| -rw-r--r-- | sys/hardware/printing.nix | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/sys/hardware/printing.nix b/sys/hardware/printing.nix index 8280da9..30c6962 100644 --- a/sys/hardware/printing.nix +++ b/sys/hardware/printing.nix @@ -1,6 +1,7 @@ { config, lib, ... }: with lib; let cfg = config.local.hardware.printing; + inherit (config.local.net) dhcpInterface; in { options.local.hardware.printing = { @@ -13,13 +14,27 @@ in }; config = mkIf cfg.enable { + assertions = [ + { + assertion = config.local.net.enable; + message = "Printing requires net"; + } + ]; + services.avahi = { enable = true; nssmdns4 = true; - openFirewall = true; + + # Abre 5353 en todas las interfaces (!!!) + openFirewall = false; }; hardware.sane.enable = true; + + networking.firewall.interfaces = mkIf (dhcpInterface != null) { + ${dhcpInterface}.allowedUDPPorts = [ 5353 ]; + }; + services.printing.enable = true; users.users = listToAttrs (map |
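Review bot: The new assertion in `config` checks only `config.local.net.enable`, while the `networking.firewall.interfaces` entry is guarded by `mkIf (dhcpInterface != null)`, so with net enabled and no DHCP interface set, UDP 5353 is opened nowhere and mDNS discovery fails with no evaluation error. A second assertion such as `{ assertion = dhcpInterface != null; message = "Printing requires local.net.dhcpInterface"; }` would make that case explicit, unless the silent no-op is intended. The firewall rule only filters packets; avahi-daemon still uses every interface unless `services.avahi.allowInterfaces = [ dhcpInterface ];` is set alongside it (when the value is non-null). The comment above `openFirewall = false;` describes what `true` would do and reads backwards next to the `false` value; `# openFirewall = true would open UDP 5353 on every interface; it is opened per interface below` is clearer. The `config = mkIf cfg.enable { … }` block continues past the end of the hunk.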
